FLAIR match indecision: reference to function expected
IDA matched code bytes against at least one
signature entry, but failed finding expected
cross-references at certain offsets in the code.
Consider the following .pat file contents:
5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _test ^000F _my_fun0
5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _smuk ^000F _my_fun1
Now, turn that .pat file into a signature (.sig) file, telling
sigmake to include function references into signature
(using the -r switch).
Then, apply that .sig file to a binary that you are
If IDA recognizes the 0x15-bytes long pattern in the binary, it
will check that, at offset 0xF from the start of the match,
a call to either "_my_fun0" or "_my_fun1" is performed.
If either one of the two is found, then that code will
be named "test", or "smuk", respectively.
Otherwise, a SIGFNREF problem will be signalled.
What to do:
Examine the code pointed to by the address at the given
offset (i.e., 0xF) and try and determine whether
that function could be "_my_fun0", or "_my_fun1".
If so, name it accordingly and re-apply the signature.
An alternative is to generate the signature (.sig)
file without the cross-references to functions
(i.e., dropping the '-r' switch).
But beware of collisions: a pattern like the
one above will inevitably create a collision, since the
pattern bytes are similar for the two entries.
| Previous topic
| Next topic